Security+ Mod 4: Threats, Attacks, and Vulnerabilities
What is a dictionary attack?
* uses predetermined list of words * because most people use common words, a high percentage of passwords are guessed * checks concatenation of words
What is a birthday attack?
- a birthday attack focuses on finding collisions - finding two passwords that have the same hash value-- attacker generates multiple versions of plaintext to match the hashes
What are the 7 main social engineering principles?
1. Authority- the social engineer is in charge-- ex. i'm calling from the help desk/office of the CEO/police 2. Intimidation- there will be bad things if you don't help-- ex. the paychecks won't be processed 3. Consensus- this is basically social proof: convince based on what's normally expected-- ex. your coworker Jill did this for me last week 4. Scarcity- must make change before time expires 5. Familiarity- someone you know-- ex. we have common friends 6. Trust- someone who is safe-- ex. i'm from IT and I'm here to help 7. Urgency- works alongside scarcity-- act quickly, don't think
What is driver manipulation?
using the operating system's drivers in a malicious way to gain access to the system
What is RAT?
remote access Trojan-- this is the most common type of Trojan, it has basic Trojan functionality but also gives threat agent unauthorized remote access to the victim's computer by using specially configured communication protocols
What is a downgrade attack?
A downgrade attack is a form of cryptographic attack on a computer system or communications protocol that makes it abandon a high-quality mode of operation in favor of an older, lower-quality mode of operation that is typically provided for backward compatibility with older systems
What is shimming?
A driver shim is additional code that can be run instead of the original driver. When an application attempts to call an older driver, the operating system intercepts the call and redirects it to run the shim code instead. Attackers with strong programming skills can use their knowledge to manipulate drivers by either creating shims, or by rewriting the internal code. If the attackers can fool the operating system into using a manipulated driver, they can cause it to run malicious code contained within the manipulated driver.
What is privilege escalation?
A process by which an attacker elevates their privileges on a compromised system or network to obtain admin-level access
What is a pass the hash attack?
A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. The threat actor doesn't need to decrypt the hash to obtain a plain text password. PtH attacks exploit the authentication protocol, as the passwords hash remains static for every session until the password is rotated
Which of these is a true statement concerning active interception? a)When a computer is put between a sender and receiver b)When a person overhears a conversation c)When a person looks through files d)When a person hardens an operating system
Answer: A. Explanation: Active interception normally includes a computer placed between the sender and the receiver to capture information. All other statements concerning active interception are false. If a person overhears a conversation it can be considered eavesdropping. When a person looks through files it can be normal or malicious. When a person hardens an operating system, that person is making it more secure.
A coworker goes to a website but notices that the browser brings her to a different website and that the URL has changed. What type of attack is this? a)DNS poisoning b)Denial of service c)Buffer overflow d)ARP poisoning
Answer: A. Explanation: DNS poisoning can occur at a DNS server and can affect all clients on the network. It can also occur at an individual computer. Another possibility is that spyware has compromised the browser. A denial-of-service is a single attack that attempts to stop a server from functioning. A buffer overflow is an attack that, for example, could be perpetuated on a web page. ARP poisoning is the poisoning of an ARP table, creating confusion when it comes to IP address-to-MAC address resolutions.
Of the following definitions, which would be an example of eavesdropping? a)Overhearing parts of a conversation b)Monitoring network traffic c)Another person looking through your files d)A computer capturing information from a sender
Answer: A. Explanation: Eavesdropping is when people listen to a conversation that they are not part of. A security administrator should keep in mind that someone could always be listening, and thus should always try to protect against this.
What is ARP poisoning
ARP poisoning is the poisoning of an ARP table, creating confusion when it comes to IP address-to-MAC address resolutions.
What is an IV attack?
An initialization vector (IV) attack is an attack on wireless networks. It modifies the IV of an encrypted wireless packet during transmission. Once an attacker learns the plaintext of one packet, the attacker can compute the RC4 key stream generated by the IV used.
What is an NFC attack?
security concern with NFC is that it's a wireless network, and has a 10 meter range and can be captured-- vulnerable to jamming, replay/man in the middle, or loss of NFC device
What is a cross site request forgery (xsrf)?
session riding, one click attack-- makes unauthorized commands from a trusted user to the website, often done without the user's knowledge and usually involves social networking to pull off
What is a keylogger?
software the records users keystrokes and mouseclicks
Which of the following would be considered detrimental effects of a virus hoax? (Select the two best answers.) a)Technical support resources are consumed by increased user calls. b)Users are at risk for identity theft. c)Users are tricked into changing the system configurations. d)The e-mail server capacity is consumed by message traffic.
Answer: A and C. Explanation: Because a virus can affect many users, technical support resources can be consumed by an increase in user phone calls. This can be detrimental to the company because all companies have a limited number of technical support personnel. Another detrimental effect is that unwitting users may be tricked into changing some of their computer system configurations. The key term in the question is "virus hoax." The technical support team might also be inundated by support e-mails from users, but not to the point where the e-mail server capacity is consumed. If the e-mail server is consumed by message traffic, that would be a detrimental effect caused by the person who sent the virus and by the virus itself but not necessary by the hoax. Although users may be at risk for identity theft, it is not one of the most detrimental effects of the virus hoax.
What devices will not be able to communicate in a Faraday cage? (Select the two best answers.) a)Smartphones b)Servers c)Tablets d)Switches
Answer: A and C. Explanation: Signals cannot emanate outside a Faraday cage. Therefore, smartphones and tablets (by default) will not work inside the Faraday cage. Generally, a Faraday cage is "constructed" for a server room, data center, or other similar location. Servers and switches are common in these places and are normally wired to the network, so they should be able to communicate with the outside world.
In addition to bribery and forgery, which of the following are the most common techniques that attackers use to socially engineer people? (Select the two best answers.) a)Flattery b)Assuming a position of authority c)Dumpster diving WHOIS search
Answer: A and C. Explanation: The most common techniques that attackers use to socially engineer people include flattery, dumpster diving, bribery, and forgery. Although assuming a position of authority is an example of social engineering, it is not one of the most common. A WHOIS search is not necessarily malicious; it can be accomplished by anyone and can be done for legitimate reasons. This type of search can tell a person who runs a particular website or who owns a domain name.
You have been ordered to implement a secure shredding system as well as privacy screens. What two attacks is your organization attempting to mitigate? a)Shoulder surfing b)Impersonation c)Phishing d)Dumpster diving e)Tailgating
Answer: A and D. Explanation: The privacy screens are being implemented to prevent shoulder surfing. The secure shredding system is being implemented to mitigate dumpster diving. Impersonation is when an unauthorized person masquerades as a legitimate, authorized person. Phishing is when an attacker attempts to fraudulently obtain information through e-mail scams. Tailgating is when a person (without proper credentials) attempts to gain access to an unauthorized area by following someone else in.
In which two environments would social engineering attacks be most effective? (Select the two best answers.) a)Public building with shared office space b)Company with a dedicated IT staff c)Locked building d)Military facility e)An organization whose IT personnel have little training
Answer: A and E. Explanation: Public buildings with shared office space and organizations with IT employees who have little training are environments in which social engineering attacks are common and would be most successful. Social engineering will be less successful in secret buildings, buildings with a decent level of security such as military facilities, and organizations with dedicated and well-trained IT staff.
User education can help to defend against which of the following? (Select the three best answers.) a)Social engineering b)Phishing c)Rainbow tables d)Dumpster diving
Answer: A, B, and D. Explanation: User education and awareness can help defend against social engineering attacks, phishing, and dumpster diving. Rainbow tables are lookup tables used when recovering passwords.
A group of compromised computers that have software installed by a worm or Trojan is known as which of the following? a)Botnet b)Virus c)Rootkit d)Zombie
Answer: A. Explanation: A botnet is a group of compromised computers, usually working together, with malware that was installed by a worm or a Trojan horse. An individual computer within a botnet is referred to as a zombie (among other things). A virus is code that can infect a computer's files. A rootkit is a type of software designed to gain administrator-level access to a system.
What is zero day?
speaking about an application, this is a vulnerability that hasn't been detected or published yet
Which of the following enables an attacker to float a domain registration for a maximum of five days? a)Kiting b)DNS poisoning c)Domain hijacking spoofing
Answer: A. Explanation: Kiting is the practice of monopolizing domain names without paying for them. Newly registered domain names can be canceled with a full refund during an initial five-day window known as an AGP, or add grace period. Domain hijacking is another type of hijacking attack where the attacker changes the registration of a domain name without the permission of the original owner/registrant.
One of your users was not being careful when browsing the Internet. The user was redirected to a warez site where a number of pop-ups appeared. After clicking one pop-up by accident, a drive-by download of unwanted software occurred. What does the download most likely contain? a)Spyware b)DDoS c)Backdoor d)Logic bomb
Answer: A. Explanation: Of the answers listed, the download most likely contains spyware. It could contain other types of malware as well, such as viruses, Trojans, worms, and so on. The rest of the answers are types of network attacks and methods of accessing the computer to drop a malware payload.
. Which of these is an example of social engineering? a)Asking for a username and password over the phone b)Using someone else's unsecured wireless network c)Hacking into a router d)Virus so-style-
Answer: A. Explanation: Social engineering is the practice of obtaining confidential information by manipulating people. Using someone else's network is just theft. Hacking into a router is just that, hacking. And a virus is a self-spreading program that may or may not cause damage to files and applications.
Which of the following defines the difference between a Trojan horse and a worm? (Select the best answer.) a)Worms self-replicate but Trojan horses do not. b)The two are the same. c)Worms are sent via email; Trojan horses are not. d)Trojan horses are malicious attacks; worms are not.
Answer: A. Explanation: The primary difference between a Trojan horse and a worm is that worms will self-replicate without any user intervention; Trojan horses do not self-replicate.
Which type of malware does not require a user to execute a program to distribute the software? a)Worm b)Virus c)Trojan horse d)Stealth
Answer: A. Explanation: Worms self-replicate and do not require a user to execute a program to distribute the software across networks. All the other answers do require user intervention. Stealth refers to a type of virus.
You have been given the task of scanning for viruses on a PC. What is the best of the following methods? a)Recovery environment b)Dual-boot into Linux c)Command Prompt only d)Boot into Windows normally
Answer: A. Explanation: You should use a recovery environment. Most often, this would be the one built into Windows. Many manufacturers suggest using this, and more specifically Safe Mode. However, it could also be a Linux rescue disc or flash drive. That's not a true dual-boot though. An actual dual-boot is when Windows and Linux are both installed to the hard drive. Command Prompt only is not enough, nor is it necessary for some virus scanning scenarios. Booting into Windows normally is tantamount to doing nothing. Remember to use a recovery environment when scanning for viruses.
A type of virus that takes advantage of various mechanisms specifically designed to make tracing, disassembling and reverse engineering its code more difficult is known as: a)Armored virus b)Rootkit c)Logic bomb d)Backdoor
Answer: A. Armored virus Explanation: A type of virus that takes advantage of various mechanisms specifically designed to make tracing, disassembling and reverse engineering its code more difficult is known as armored virus.
Which of the following terms refers to a situation where no alarm is raised when an attack has taken place? a)False negative b)True positive c)False positive d)True negative
Answer: A. False negative Explanation: A situation where no alarm is raised when an attack has taken place is an example of a false negative error.
Malicious code activated by a specific event is known as: a)Logic bomb b)Spyware c)Trojan horse d)Armored virus
Answer: A. Logic bomb Explanation: Malicious code activated by a specific event is known as logic bomb.
Which of the following answers refers to malicious software performing unwanted and harmful actions in disguise of a legitimate and useful program? a)Trojan horse b)Spyware c)Logic bomb d)Adware
Answer: A. Trojan horse Explanation: Software that performs unwanted and harmful actions in disguise of a legitimate and useful program is referred to as a Trojan horse. This type of malware may act like a legitimate program and have all the expected functionalities, but apart from that it will also contain a portion of malicious code appended to it that the user is unaware of.
A targeted e-mail attack is received by your organization's CFO. What is this an example of? a)Vishing b)Phishing c)Whaling d)Spear phishing
Answer: C. Explanation: Whaling is a type of spear phishing that targets senior executives such as CFOs. Regular old phishing does not target anyone, but instead tries to contact as many people as possible until an unsuspecting victim can be found. Vishing is the telephone-based version of phishing. Spear phishing does target individuals but not senior executives.
If a fire occurs in the server room, which device is the best method to put it out? a)Class A extinguisher b)Class B extinguisher c)Class C extinguisher d)Class D extinguisher
Answer: C. Explanation: When you think Class C, think copper. Extinguishers rated as Class C can suppress electrical fires, which are the most likely kind in a server room.
When users in your company attempt to access a particular website, the attempts are redirected to a spoofed website. What are two possible reasons for this? a)DoS b)DNS poisoning c)Modified hosts file d)Domain name kiting
Answer: B and C. Explanation: DNS poisoning and a DNS server's modified hosts files are possible causes for why a person would be redirected to a spoofed website. DoS, or denial-of- service, is when a computer attempts to attack a server to stop it from functioning. Domain name kiting is when a person renews and cancels domains within five-day periods.
Your web server that conducts online transactions crashed, so you examine the HTTP logs and see that a search string was executed by a single user masquerading as a customer. The crash happened immediately afterward. What type of network attack occurred? a)DDoS b)DoS c)MAC spoofing d)MITM e)DNS amplification attack
Answer: B. Explanation: A denial-of-service (DoS) attack probably occurred. The attacker most likely used code to cause an infinite loop or repeating search, which caused the server to crash. It couldn't have been a DDoS (distributed denial-of-service) because only one attacker was involved. MAC spoofing is when an attacker disguises the MAC address of his network adapter with another number. MITM stands for the man-in-the- middle attack, which wasn't necessary since the attacker had direct access to the search fields on the web server. A DNS amplification attack is when an attacker spoofs DNS requests to flood a target website.
Which of the following misuses the Transmission Control Protocol handshake process? a)Man-in-the-middle attack b)SYN attack c)WPA attack d)Replay attack
Answer: B. Explanation: A synchronize (SYN) attack misuses the TCP three-way handshake process. The idea behind this is to overload servers and deny access to users. A man-in-the-middle (MITM) attack is when an attacker is situated between the legitimate sender and receiver and captures and (potentially) modifies packets in transit. Though not a common term, an example of a WPA attack would be the cracking of an access point's password. A replay attack is when data is maliciously repeated or delayed.
Dan is a network administrator. One day he notices that his DHCP server is flooded with information. He analyzes it and finds that the information is coming from more than 50 computers on the network. Which of the following is the most likely reason? a)Virus b)Worm c)Zombie d)PHP script
Answer: B. Explanation: A worm is most likely the reason that the server is being bombarded with information by the clients; perhaps it is perpetuated by a botnet. Because worms self-replicate, the damage can quickly become critical.
whitelisting, blacklisting, and closing open relays are all mitigation techniques addressing what kind of threat? a)Spyware b)Spam c)Viruses d)Botnets
Answer: B. Explanation: Closing open relays, whitelisting, and blacklisting are all mitigation techniques that address spam. Spam e-mail is a serious problem for all companies and must be filtered as much as possible.
Social Engineering, User Education, and Facilities Security 4. You go out the back door of your building and notice someone looking through your company's trash. If this person were trying to acquire sensitive information, what would this attack be known as? a)Browsing b)Dumpster diving c)Phishing d)Hacking
Answer: B. Explanation: Dumpster diving is when a person goes through a company's trash to find sensitive information about an individual or a company. Browsing is not an attack but something you do when connected to the Internet. Phishing is known as acquiring sensitive information through the use of electronic communication. Nowadays, hacking is a general term used to describe many different types of attacks.
How do most network-based viruses spread? a)By optical disc b)Through e-mail c)By USB flash drive d)By instant messages
Answer: B. Explanation: E-mail is the number one reason why network-based viruses spread. All a person needs to do is double-click the attachment within the e-mail, and the virus will do its thing, which is most likely to spread through the user's address book. Removable media such as optical discs and USB flash drives can spread viruses but not nearly as common as e-mail. A virus can also spread if it was incorporated into a link within an instant message, or as an attachment to the IM. This is definitely something to protect against, but not quite as common as e-mail-based viruses, especially in larger organizations' networks.
You are the security administrator for your organization and have just completed a routine server audit. You did not notice any abnormal activity. However, another network security analyst finds connections to unauthorized ports from outside the organization's network. Using security tools, the analyst finds hidden processes that are running on the server. Which of the following has most likely been installed on the server? a)Spam b)Rootkit c)Backdoor d)Logic bomb e)Ransomware
Answer: B. Explanation: Most likely, a rootkit was installed. These can evade many routine scans, so there is no fault here. It's just that more in-depth analysis was required to find the rootkit. The hidden processes are the main indicator of the rootkit.
Why would you implement password masking? a)To deter tailgating b)To deter shoulder surfing c)To deter hoaxes
Answer: B. Explanation: Password masking is when the characters a user types into a password field are replaced, usually by asterisks. This is done to prevent shoulder surfing. Tailgating is when an unauthorized person follows an authorized person into a secure area, without the second person's consent. Impersonation is when a person masquerades as another, authorized user. A hoax is an attempt at deceiving people into believing something that is false.
Jeff wants to employ a Faraday cage. What will this accomplish? a)It will increase the level of wireless encryption. b)It will reduce data emanations. c)It will increase EMI. d)It will decrease the level of wireless emanations.
Answer: B. Explanation: The Faraday cage will reduce data emanations. The cage is essentially an enclosure (of which there are various types) of conducting material that can block external electric fields and stop internal electric fields from leaving the cage, thus reducing or eliminating data emanations from such devices as cell phones.
A DDoS attack can be best defined as what? a)Privilege escalation b)Multiple computers attacking a single server c)A computer placed between a sender and receiver to capture data d)Overhearing parts of a conversation
Answer: B. Explanation: When multiple computers attack a single server, it is known as a distributed denial-of-service attack, or DDoS. Privilege escalation is when a person who is not normally authorized to a server manages to get administrative permissions to resources. If a computer is placed between a sender and receiver, it is known as a man-in-the-middle attack. Overhearing parts of a conversation is known as eavesdropping. rep
A group of computers running malicious software under control of a hacker is referred to as: a)Intranet b)Botnet c)Ethernet d)Subnet
Answer: B. Botnet Explanation: A group of computers running malicious software under control of a hacker is referred to as a botnet.
An antivirus software identifying non-malicious file as a virus due to faulty virus signature file is an example of: a)Fault tolerance b)False positive error c)Incident isolation d)False negative error
Answer: B. False positive error Explanation: An antivirus software identifying non-malicious file as a virus due to faulty virus signature file is an example of a false positive error.
The process by which malicious software changes its underlying code to avoid detection is called: a)Fuzzing b)Polymorphism c)Pharming d)Spoofing
Answer: B. Polymorphism Explanation: The process by which malicious software changes its underlying code to avoid detection is called polymorphism.
A computer program containing malicious segment that attaches itself to an application program or other executable component is called: a)Adware b)Virus c)Spam d)Flash cookie
Answer: B. Virus Explanation: The term computer virus refers to a program containing malicious segment that attaches itself to an application program or other executable component.
Turnstiles, double entry doors, and security guards are all preventative measures for what kind of social engineering? a)Dumpster diving b)Impersonation c)Piggybacking d)Eavesdropping
Answer: C. Explanation: Turnstiles, double entry doors, and security guards are all examples of preventative measures that attempt to defeat piggybacking. Dumpster diving is when a person looks through a coworker's trash or a building's trash to retrieve information. Impersonation is when a person attempts to represent another person, possibly with the other person's identification. Eavesdropping is when a person overhears another person's conversation.
A user complains that they were browsing the Internet when the computer started acting erratically and crashed. You reboot the computer and notice that performance is very slow. In addition, after running a netstat command you notice literally hundreds of outbound connections to various websites, many of which are well-known sites. Which of the following has happened? a)The computer is infected with spyware. b)The computer is infected with virus. c)The computer is now part of a botnet. d)The computer is now infected with a rootkit.
Answer: C. Explanation: The computer is probably now part of the botnet. The reason the system is running slowly is probably due to the fact that there are hundreds of outbound connections to various websites. This is a solid sign of a computer that has become part of a botnet. Spyware, viruses, and rootkits might make the computer run slowly, but they will not create hundreds of outbound connections.
What is amplification?
turning small attack into bigger attack, duh
Which of the following attacks is a type of DoS attack that sends large amounts of UDP echoes to ports 7 and 19? a)Teardrop b)IP spoofing c)Fraggle d)Replay
Answer: C. Explanation: A Fraggle attack is a type of DoS attack that sends large amounts of UDP echoes to ports 7 and 19. This is similar to the Smurf attack. Teardrop DoS attacks send many IP fragments with oversized payloads to a target. IP spoofing is when an attacker sends IP packets with a forged source IP address. The replay attack is when valid data transmissions are maliciously repeated or delayed.
Which of the following types of malware appears to the user as legitimate but actually enables unauthorized access to the user's computers? a)Worm b)Virus c)Trojan d)Spam
Answer: C. Explanation: A Trojan, or a Trojan horse, appears to be legitimate and looks like it'll perform desirable functions, but in reality is designed to enable unauthorized access to the user's computer.
A man pretending to be a data communications repair technician enters your building and states that there is networking trouble and he needs access to the server room. What is this an example of? a)Man-in-the-middle attack b)Virus c)Social engineering d)Chain of custody F
Answer: C. Explanation: Any person pretending to be a data communications repair person would be attempting a social engineering attack.
Of the following, which type of fire suppression can prevent damage to computers and servers? a)Class A b)Water c)CO2 d)ABC extinguishers
Answer: C. Explanation: CO2 is the best answer that will prevent damage to computers because CO2 is air-based, not water-based. CO2 displaces oxygen. Fire needs oxygen; without it the fire will go out. All the other options have substances that can damage computers. However, because CO2 can possibly cause ESD damage, the best solution in a server room would be Halotron or FE-36.
Which of the following types of scanners can locate a rootkit on a computer? a)Image scanner b)Barcode scanner c)Malware scanner d)Adware scanner
Answer: C. Explanation: Malware scanners can locate rootkits and other types of malware. These types of scanners are often found in anti-malware software from manufacturers such as McAfee, Symantec, and so on. Adware scanners (often free) can scan for only adware. Always have some kind of anti-malware software running on live client computers!
If a person takes control of a session between a server and a client, it is known as what type of attack? a)DDoS b)Smurf c)Session hijacking d)Malicious software
Answer: C. Explanation: Session hijacking (or TCP/IP hijacking) is when an unwanted mediator takes control of the session between a client and a server (for example, an FTP or HTTP session).
Which of the following types of viruses hides its code to mask itself? a)Stealth virus b)Polymorphic virus c)Worm d)Armored virus
Answer: D. Explanation: An armored virus attempts to make disassembly difficult for an antivirus software program. It thwarts attempts at code examination. Stealth viruses attempt to avoid detection by antivirus software altogether. Polymorphic viruses change every time they run. Worms are not viruses.
Which of the following computer security threats can be updated automatically and remotely? (Select the best answer.) a)Virus b)Worm c)Zombie d)Malware
Answer: C. Explanation: Zombies (also known as zombie computers) are systems that have been compromised without the knowledge of the owner. A prerequisite is the computer must be connected to the Internet so that the hacker or malicious attack can make its way to the computer and be controlled remotely. Multiple zombies working in concert often form a botnet.
Malware that restricts access to a computer system by encrypting files or locking the entire system down until the user performs requested action is known as: a)Grayware b)Adware c)Ransomware d)Spyware
Answer: C. Ransomware Explanation: Malware that restricts access to a computer system by encrypting files or locking the entire system down until the user performs requested action is known as ransomware.
A collection of software tools used by a hacker in order to mask intrusion and obtain administrator level access to a computer or computer network is known as: a)Backdoor b)Botnet c)Rootkit d)Armored virus
Answer: C. Rootkit Explanation: A collection of software tools used by a hacker in order to mask intrusion and obtain administrator-level access to a computer or computer network is known as rootkit.
What is adware? a)Unsolicited or undesired electronic messages b)Malicious program that sends copies of itself to other computers on the network c)Software that displays advertisements d)Malicious software that collects information about users without their knowledge
Answer: C. Software that displays advertisements Explanation: Adware is a type of software that displays advertisements on the user system, often in the form of a pop-up window. Unsolicited or undesired electronic messages are known as spam. Malicious program that sends copies of itself to other computers on the network is called computer worm. Malicious software that collects information about users without their knowledge is called spyware.
Which of the following is a common symptom of spyware? a)Infected files b)Computer shuts down c)Applications freeze d)Pop-up windows
Answer: D. Explanation: Pop-up windows are common to spyware. The rest of the answers are more common symptoms of viruses.
Which of the following targets specific people? a)Pharming b)Phishing c)Vishing d)Spear phishing
Answer: D. Explanation: Spear phishing is a targeted attack, unlike regular phishing, which usually works by contacting large groups of people. Pharming is when a website's traffic is redirected to another, illegitimate, website. Vishing is the phone/VoIP version of phishing.
Making data appear as if it is coming from somewhere other than its original source is known as what? a)Hacking b)Phishing c)Cracking d)spoofing
Answer: D. Explanation: Spoofing is when a malicious user makes data or e-mail appear to be coming from somewhere else.
You are the network administrator for a small organization without much in the way of security policies. While analyzing your servers' performance you find various chain messages have been received by the company. Which type of security control should you implement to fix the problem? a)Antivirus b)Anti-Spyware c)Host-based firewalls d)Anti-Spam
Answer: D. Explanation: The chain messages are e-mails (similar to the archaic chain letter) that are being spammed on the network. Therefore, anti-spam security controls need to be implemented. This would be a type of preventive control. Antivirus programs find and quarantine viruses, worms, and Trojans, but unless they are part of an AV suite of software, they will not check e-mail. Anti-spyware tools will attempt to prevent spyware from being installed on the computer. Host-based firewalls block attacks from coming through specific parts, but will not catch spam messages.
Which type of attack uses more than one computer? a)Virus b)DoS c)Worm d)DDoS
Answer: D. Explanation: A DDoS, or distributed denial-of-service, attack uses multiple computers to make its attack, usually perpetuated on a server. None of the other answers use multiple computers.
One of your co-workers complains of very slow system performance and says that a lot of antivirus messages are being displayed. The user admits to recently installing pirated software and downloading and installing an illegal keygen to activate the software. What type of malware has affected the user's computer? a)Worm b)Logic bomb c)Spyware d)Trojan
Answer: D. Explanation: A Trojan was probably installed (unknown to the user) as part of the keygen package. Illegal downloads often contain malware of this nature. At this point, the computer is compromised. Not only is it infected, but malicious individuals might be able to remotely access it.
What is a malicious attack that executes at the same time every week? a)Virus b)Worm c)Ransomware d)Logic bomb
Answer: D. Explanation: A logic bomb is a malicious attack that executes at a specific time. Viruses normally execute when a user inadvertently runs them. Worms can self-replicate at will. Ransomware is a type of malware that restricts access to files (or entire systems) and demands a ransom be paid.
Which of the following is not an example of malicious software? a)Rootkits b)Spyware c)Viruses d)Browser
Answer: D. Explanation: A web browser (for example, Internet Explorer) is the only one listed that is not an example of malicious software. Although a browser can be compromised in a variety of ways by malicious software, the application itself is not the malware.
What is the most common reason that social engineering succeeds? a)Lack of vulnerability testing b)People sharing passwords c)Lack of auditing d)Lack of user awareness
Answer: D. Explanation: User awareness is extremely important when attempting to defend against social engineering attacks. Vulnerability testing and auditing are definitely important as part of a complete security plan but will not necessarily help defend against social engineering and definitely will not help as much as user awareness training. People should not share passwords.
Which of the following answers refers to an undocumented way of gaining access to a program, online service or an entire computer system? a)Tailgating b)Rootkit c)Trojan horse d)Backdoor
Answer: D. Backdoor Explanation: The term backdoor refers to an undocumented way of gaining access to a program, online service or an entire computer system.
Which of the following attacks uses multiple compromised computer systems against its target? (Select best answer) a)Spear phishing b)DoS c)Watering hole attack d)DDoS
Answer: D. DDoS Explanation: A Distributed Denial of Service (DDoS) attack uses multiple compromised computer systems to perform an attack against its target. The intermediary systems that are used as platform for the attack are the secondary victims of the DDoS attack; they are often referred to as zombies, and collectively as a botnet. The goal of DoS and DDoS attacks is to flood the bandwidth or resources of a targeted system so that it becomes overwhelmed with false requests and in result doesn't have time or resources to handle legitimate requests.
Which of the following is an example of active eavesdropping? a)Phishing b)DDoS c)Xmas attack d)MITM
Answer: D. MITM Explanation: Man-In-The-Middle attack (MITM) falls into the category of active eavesdropping.
Which of the following answers refers to a general term used to describe software designed specifically to damage or disrupt the operation of a computer system? a)Adware b)Spyware c)Spam d)Malware
Answer: D. Malware Explanation: Unwanted programs designed specifically to damage or disrupt the operation of a computer system are referred to as malicious software, or malware.
Malicious software collecting information about users without their knowledge/consent is called: a)Logic bomb b)Adware c)Computer worm d)Spyware
Answer: D. Spyware Explanation: Malicious software collecting information about users without their knowledge/consent is called spyware.
What is a known plain text/cipher text?
Attacker has both the plaintext and the encrypted data. Basically if you know some/all the plain text, you can find a wedge that is revealed in the ciphertext that allows you to crack
What is a brute force attack?
Keep trying the login process
What kind of attack is it when the packets sent do not require a synchronization process and are not connection-oriented? a)Man-in-the-middle attack b)TCP/IP hijacking c)UDP attack d)ICMP flood
Explanation: User Datagram Protocol (UDP) attacks, or UDP flood attacks, are DoS attacks that use a computer to send a large number of UDP packets to a remote host. The remote host will reply to each of these with an ICMP Destination Unreachable packet, which ultimately makes it inaccessible to clients. The man-in-the-middle (MITM) attack is when an attacker secretly relays and possibly alters information between two parties. TCP/IP hijacking is an attack that spoofs a server into thinking it is talking with a valid client when in reality it is not. An ICMP flood (or ping flood) is a basic DoS where many ICMP packets are sent out without waiting for replies.
What is offline and online brute force attack?
Online- keep trying the login process, very slow and can be defended against by lockout after # of failed attempts Offline- obtain a list of users and hashes, calculate a password hash, compare it to a stored hash-- requires a large computational resource
What is RFID?
Radio Frequency Identification
What is a WPS attack?
WPS had a design flaw-- pin is 8 numbers (really 7 and a checksum), WPS would validate the first 4 numbers and then the last 3 numbers. Because it was doing them in smaller chunks it was possible to go through all PIN combinations in 4 hours. Has been improved (but not fixed) with lockout and slowdown, now takes about one day to one week to crack
What is a watering hole attack?
Watering hole is a computer attack strategy, in which the victim is of a particular group. In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group becomes infected
What is WPS?
Wi-Fi Protected Setup, a one-touch Wi-Fi security protocol
What is crypto-malware?
a much more malicious version of ransomware that encrypts all files on a device, preventing a user from opening or accessing the files
What is disassociation?
a significant wireless denial of service attack, basically a way to get kicked off of a wireless network-- an issue with 802.11 wireless management frames that were unprotected (no authentication or validation). 802.11w corrected for this
What is a buffer overflow attack?
a type of injection attack where more information than an application can handle is inserted and can provide an attacker with system-level access
What is domain hijacking?
actually hijacking the domain registration of a website, giving attacker control of where the traffic flows (don't need to touch the actual servers)
What is an injection attack?
an attack that relies on it's users being able to input information directly into an application without proper input validation
What are weak implementations?
basically, weak encryption-- one weak link breaks the entire chain. 802.11 WEP is an example of this (the RC4 key could be recovered by gathering enough packets, the algorithm didn't sufficiently protect the key). DES is another example (relatively small 56-bit keys, modern systems can brute force this pretty quickly)
What is DNS poisoning
changes the DNS records on a system to point to false servers where the data is recorded
How do RFID attacks work?
data capture, spoofing the reader, jamming, communication can be decrypted (lots of keys are online)
What is replay attack?
essentially it's an attack where a hacker is monitoring a network during authentication and captures useful information like username and password hash, then sends his own authentication request using the captured credentials-- "replaying the captured data to appear as someone else". not a man in the middle attack
What is cross site scripting?
manipulating a website directly by injecting scripts that are run by a user's client (eg web browser)-- a client-side attack
What is NFC?
near field communication-- two way wireless communication, builds on RFID.
